Researchers have revealed two very serious vulnerabilities in Avast and AVG antivirus products that have gone undetected for ten years.
On Thursday, SentinelOne released a security advisory on the flaws, tracked as CVE-2022-26522 and CVE-2022-26523.
Avast acquired AVG in 2016 for $1.3 billion. According to SentinelOne, the vulnerabilities have existed since 2012 and could therefore have affected “tens of millions of users worldwide”.
CVE-2022-26522 and CVE-2022-26523 were found in the Avast Anti Rootkit driver, introduced in January 2012 and also used by AVG. The first vulnerability was present in a socket connection manager used by the kernel driver aswArPot.sys, and during routine operations an attacker could hijack a variable to elevate privileges.
Security products must operate with elevated privilege levels, and attackers able to exploit this flaw could potentially disable security solutions, alter a target operating system, or perform other malicious actions.
The second vulnerability, CVE-2022-26523, is described as “very similar” to CVE-2022-26522 and was present in the aswArPot+0xc4a3 function.
“Due to the nature of these vulnerabilities, they can be triggered from sandboxes and could be exploitable in contexts other than simple local privilege escalation,” SentinelLabs said. “For example, the vulnerabilities could be exploited as part of a second-stage browser attack or to perform a sandbox evasion, among other possibilities.”
SentinelLabs reported the vulnerabilities to Avast on December 20, 2021. On January 4, the cybersecurity solution provider acknowledged receipt of the report, and after triage it released patches in Avast v.22.1 to address the vulnerabilities.
The vulnerabilities were fixed on February 11. SentinelLabs said there was no evidence of active exploitation in the wild.
Users should have automatically received the necessary updates and do not need to take any further action.
“The impact this could have on users and businesses that fail to apply patches is far-reaching and significant,” the company added. “We would like to thank Avast for their approach to our disclosure and for quickly patching the vulnerabilities.”
Avast told ZDNet:
“Avast is actively participating in the coordinated vulnerability disclosure process, and we appreciate that SentinelOne worked with us and provided a detailed analysis of the identified vulnerabilities. SentinelOne reported two vulnerabilities, now tracked as CVE-2022-26522 and CVE-2022-26523, to us on December 20, 2021.
We worked on a fix released in version 22.1 in February 2022 and notified SentinelOne of this fix applied. Avast and AVG users have been automatically updated and are protected from any risk of exploitation, although we haven’t seen the vulnerabilities abused in the wild. We recommend our Avast and AVG users to constantly update their software to the latest version to be protected. Coordinated disclosure is a great way to prevent risks from translating into attacks, and we encourage participation in our bug bounty program.”